Staying safe online in universities
Even if you spend quite some time at the university, you probably haven’t noticed how much personal data they collect and store. In the best-case scenario, this private information includes name, gender, address, ID number, email address, phone number, and other details. In the worst case, academic institutions may record:
- Photo IDs
- Ethnic origin
- Sexual orientation
- Religious beliefs
- Criminal convictions
- Disciplinary details
- Fee payment details
- Academic records
- Physical and mental health records
In most cases, all the information collected is necessary to keep the university running smoothly. However, despite the necessity of this data collection, personal information is often confidential and highly valuable. Therefore it’s normal to worry about your data privacy in universities, and what can be done to keep it more secure.
Do universities face data breach risk?
Whenever an institution is storing data, there’s always a risk of a data breach – the leak of private information, whether intentional or unintentional.
University data breaches can happen in many ways. With hackers getting smarter day by day, it would be impossible to give a final list of the ways to steal data from universities. However, it’s possible to group them into three broader categories:
Cyberattacks are digital attacks launched by hackers to access, obtain or damage data. One of the most common cyberattack forms is phishing, where hackers spoof university websites and emails to get unaware students and teachers to reveal their data.
This method was successfully used by an Iranian hacking group from 2013 to 2018, stealing a massive 31.5 TB of data from over 300 universities around the world.
2. Insider leaks
It may surprise you to learn that half of all data breaches come from insiders rather than hackers. In universities, this often involves some angry professor who has been fired or disciplined and decides to purposedly leak information to harm his Alma Mater.
3. Physical theft
Physical theft is one of the least popular methods to obtain data in our days, but it still happens. If universities hold physical records, attackers may break into the places where they’re held and steal or damage them.
Access keys and cards are also at risk of physical theft because often they give access to restricted areas and sometimes even computers.
How do data breaches harm universities?
If a data breach hits a university, it might cause serious, even irreparable harm to the institution in different ways. Some of the most troublesome are:
- System manipulation: Students and teachers using personal data to access the university’s system and change grades, manipulate admissions decisions, or even cause reputational harm.
- Ransomware: Hackers can break into a system, encrypting important information like personal data or research logs and demand a ransom payment to decrypt it. Sadly, not all hackers care to give back access after they receive the money.
- Financial risk: Universities might get fined for data breaches or forced to spend millions repairing the system.
How do data breaches harm students and staff?
Even more troubling is the risk posed to students and university staff whose data was leaked. These risks include:
- Identity fraud: With enough information, a hacker can access bank, phone, or shopping accounts.
- Reputational damage: Exposing sensitive data, such as mental and physical health records, past criminal convictions, and sexual orientation can jeopardize someone’s chances of employment or destroy relationships.
How safe is your personal data?
You probably have one question: how safe is the data stored in universities? And what are the chances that the staff and students might suffer the data breach consequences described above?
To prevent data breaches, universities are expected to adhere to six data protection principles to keep personal information safe, private, and protected:
- Lawfulness, fairness, and transparency: Universities must abide by state and federal law, keep students and staff informed of data rules, and reveal a person’s private data to them for free in one month.
- Purpose limitation: Universities can collect private information only if they have a specific purpose for it and cannot use it for any other purpose without the owner’s consent.
- Data minimization: Universities must collect the minimum amount of data required to fulfil their needs adequately.
- Accuracy: Universities have to keep their data updated, fixing any inaccuracies, errors, or incomplete fields within one month.
- Storage limitation: When the information is no longer needed, the university must delete it within a reasonable time frame.
- Integrity and confidentiality: Universities are expected to do all in their power to keep information safe and secure, combining technical and organizational measures to protect personal information from unauthorized access, accidental loss, or damage.
The GDPR and university data safety
These six principles above were laid out by the General Data Protection Regulation (GDPR), which came into effect on May 2018. The GDPR is the set of European laws that govern all “data controllers,” including universities. These regulations are widely considered to be the world’s strongest data protection rules, and those who break them are subject to massive fines.
In the past, the maximum fine was £500,000 per incident. In 2018, not long before the GDPR came into effect, the University of Greenwich was fined just £120,000 for leaking personal and sensitive data of 19,500 students. To make matters worse, that was already the second data safety incident at the University of Greenwich. A serious data leak in 2016 revealed highly sensitive student information, such as mental health, asylum applications, and more.
Now, if some university doesn’t comply with the regulations in the new GDPR, it faces a fine of up to €10 million for smaller offenses and €20 million for larger ones.
Will GDPR be enough to prevent data breaches?
Having the tight rules and financial risk involved in mind, one would assume the data that universities hold is adequately protected. But while universities are making efforts to adhere to the GDPR, it remains to be seen whether that will be enough.
The issue is that, to a degree, the GDPR rules are still open to interpretation. The data principles don’t specify any procedures that need to be followed. It’s left to each university to set its own local rules governing personal and other data. These rules must be in line with the GDPR, but what is “fair” and “adequate” to one university may be considered overkill by another.
For example, the University of Durham has decided that the retention period for the personal data of individual students will be a maximum of 6 years after graduation. However, the University of Loughborough frowns upon such an idea and plans to keep it for 10 years. Now, which of these two universities is adequate? Are they both doing enough to protect the personal information of their students?
What’s more, each university has different methods of ensuring the security and privacy of their records. A university’s ability to protect against cyberattacks in part depends on password criteria. The risk of an insider leak is increased or reduced based on how many people have access to restricted data leaks.
Whether hard copies can be stolen depends on whether they exist and how securely they’re kept if they do. Of course, password criteria, data access, and hard copy storage habits vary, and some rules aren’t strict enough to adequately protect against a breach.
On top of that, many universities simply don’t do enough to prevent students and teachers from accidentally leaking data. Consider phishing attacks, for example. These are often preventable, but has your university adequately informed all its staff and students how to spot rogue emails and when to avoid entering their login details?
Therefore, while data stored in universities is safer than ever under the GDPR, it’s never completely safe from a breach. Luckily, there are ways to mitigate that risk. One great method is to use a university VPN.
What role do university VPNs play?
A VPN (Virtual Private Network) is a service that changes the way you access the web. VPNs reroute all your traffic through a remote server. The main benefit of using a VPN is privacy – it hides and encrypts all your traffic so no one can easily identify your IP address or break into your connection to steal your information.
Most universities offer a free, opt-in VPN service to all staff and students. Information on how to log in to the VPN may be given to all students and staff upon joining the university, but in most cases, you’ll need to apply for access by contacting the IT department.
Unlike typical VPNs, which give access to a variety of servers all over the world, university VPNs give access to the university’s intranet. VPN allows students and staff to connect to the university network securely from anywhere in the world. It also helps ensure data privacy and protection against leaks by greatly reducing the risk of a cyberattack.
Imagine a professor traveling on a research project who needs to use a free wifi network to access students’ information. If she connects openly to a public network, anyone with minimal tech know-how will be able to snoop on her traffic, steal login details, and access a huge array of data. However, if a university allows off-campus connections only to those using the university’s VPN, they can ensure that personal information is never left exposed and unencrypted.
While VPNs alone aren’t enough to protect against data breaches, they are very helpful cybersecurity tools. If you study or work at a university, contact the IT Service Desk to learn how to use the VPN. Finally, if you work in IT or with sensitive data and you don’t yet have a VPN set up, now is the best time to do so.
Since the advent of the GDPR, personal information collected and stored by universities is much safer than it was in the past. But when it comes to cybersecurity, it’s vital to remember that no matter how strong and closely followed the rules are, it’s impossible to make yourself 100% immune to cyberattacks, data leaks, and identity theft.
That’s why it’s so important to use additional methods like VPN services to protect private information. The more methods you combine, the harder it will be for hackers to steal your data.